A gang of thieves targeted cash machines belonging to an unnamed European bank
by uploading malicious software that would spit out banknotes on command

Criminals targeted a string of cash machines by cutting holes in the fascia to reach a USB port and upload malicious code that would spit out banknotes on command.

Speakers at the Chaos Computing Congress in Hamburg described the attacks, which affected an unnamed European bank that noticed several cash machines had been entirely emptied without the safe at the rear being damaged.

The bank increased security after the first attacks and were able to spot the gang drilling holes in the front of the machines, briefly inserting a USB flash drive and then patching up the damage afterwards to cover their tracks.

They were then able to return at a later date and instruct the compromised machine to dispense a specific amount of cash. To gain access they had to enter a 12-digit code, followed by a second code – this is believed to have been a failsafe to prevent individual members of the group from stealing money on their own. The second code constantly changed and the correct response could only be discovered by phoning another gang member.

Researchers found that the software then showed how many of each denomination banknote were in the machine, and asked how much of each it should dispense.

The BBC reports that the researchers, who asked to remain anonymous, said the gang must have had a “profound knowledge” of the workings of the cash machines in order to develop and successfully install the software.